The present patent application claims the priority benefit under 35 U.S.C. §119 to the filing date of European Application (EPO) No. 09152819.0, filed Feb. 13, 2009, the entire content of which is incorporated herein by reference in its entirety.
The present invention relates to a method for securely providing a control word from a smartcard to a conditional access module, a method for securely obtaining a control word in a conditional access module from a smartcard, a smartcard for securely providing a control word to a conditional access module, a conditional access module of a receiver for securely obtaining a control word from a smartcard and a receiver for descrambling scrambled data.
Conditional access systems are well known and widely used in conjunction with currently available pay television systems. At present, such systems are based on the transmission of services scrambled with control words (also referred to as service encryption keys) that are received by subscribers having a conditional access module (CAM) and a smartcard for each subscription package. Typically these services are transmitted by a head-end system in a broadcast stream. Implementations are known wherein CAM functionality is integrated in a receiver such as a set-top box, a television, a personal video recorder, a mobile phone, a smart phone or a computer appliance. The smartcard is typically a separate card that is manually inserted into the CAM before operation, but can be integrated in the CAM. The smartcard for a subscription package from a particular service provider allows the scrambled services to be descrambled by a descrambler within the CAM and viewed. The broadcast stream further typically contains entitlement management messages (EMMs), also referred to as key management messages (KMMs), and entitlement control messages (ECMs), which are necessary for the smartcard to obtain the control word. ECMs are used to carry the control word in encrypted form. EMMs are used to convey the secret keys used to decrypt the ECMs in the smartcard to extract the control word, to decrypt other data related to the addition or removal of viewing/usage rights, and/or to decrypt other user-specific data.
Control word piracy is a significant problem in digital video broadcasting (DVB) systems. Sometimes attackers are able to intercept a control word that is transmitted from the smartcard to the CAM and redistribute it over local wireless networks or over the internet. The redistributed control word is then used to descramble the scrambled services without a legitimate smartcard.
A known method to protect control words communicated from the smartcard to the CAM uses symmetrical encryption to encrypt the control word under a shared key in the smartcard before transmission to the CAM and decrypt the control word in the CAM using the shared key. A weakness of this symmetrical encryption is the shared trust between the smartcard and the CAM in keeping the used encryption key secret. If a hacker manages to acquire or derive the key and provides multiple CAMs with the same key, encrypted messages can be decrypted and scrambled services can be descrambled by all the CAMs.
It is an object of the one or more aspects of the invention to provide an improved method for providing a control word from a smartcard to a CAM.
According to an aspect of the invention a method in a smartcard is proposed for securely providing a control word from the smartcard to a conditional access module of a receiver. The receiver is configured for interaction with a user, e.g. selecting a service on the receiver. The method comprises the step of obtaining diversification data from at least one of the smartcard and the conditional access module, wherein the diversification data is dependent on the user interaction. The method further comprises the step of generating an encryption key using a diversification function having as input the diversification data and having as output the encryption key. Typically the diversification function is an XOR function, but any other mathematical function may be used. The diversification function makes the encryption key dependent on the detected user interaction. The method further comprises the step of encrypting the control word using the encryption key to obtain an encrypted control word. If the diversification data is obtained from the smartcard, then the diversification data is provided to the conditional access module for generating a decryption key to decrypt the encrypted control word. The method further comprises the step of providing the encrypted control word to the conditional access module.
According to an aspect of the invention a smartcard is proposed for securely providing a control word to a conditional access module of a receiver. The receiver is configured for interaction with a user. The smartcard comprises at least one of a first detector and a second detector. The first detector is configured to detect a first user interaction, e.g. selecting a service on the receiver. The first detector is further configured to generate first diversification data dependent on the first user interaction. The second detector is configured to obtain from the conditional access module second diversification data dependent on a second user interaction, e.g. selecting a service on the receiver. The smartcard further comprises an encryption key generator configured to generate an encryption key with a diversification function. The diversification function has as input at least one of the first and second diversification data. The output of the diversification function is the encryption key. The smartcard further comprises an encryptor configured to encrypt the control word using the encryption key to obtain an encrypted control word. The smartcard is configured to provide the encrypted control word to the conditional access module.
According to an aspect of the invention a method in a conditional access module is proposed for securely obtaining a control word in the conditional access module of a receiver from a smartcard. The receiver is configured for interaction with a user, e.g. selecting a service on the receiver. The method comprises the step of obtaining in the conditional access module diversification data from at least one of the conditional access module and the smartcard, wherein the diversification data is dependent on the user interaction. If the diversification data is obtained from the conditional access module, then the diversification data is provided to the smartcard for generating an encrypted control word. The method further comprises the step of generating a decryption key using a diversification function having as input the diversification data and having as output the decryption key. Typically the diversification function is an XOR function, but any other mathematical function may be used. The diversification function makes the decryption key dependent on the detected user interaction. The method further comprises the step of receiving the encrypted control word from the smartcard. The method further comprises the step of decrypting the encrypted control word using the decryption key to obtain the control word.
According to an aspect of the invention a conditional access module of a receiver is proposed for securely obtaining a control word from a smartcard. The receiver is configured for interaction with a user. The conditional access module is configured to receive an encrypted control word from the smartcard. The conditional access module comprises at least one of a first detector and a second detector. The first detector is configured to detect a first user interaction, e.g. selecting a service on the receiver. The first detector is further configured to generate first diversification data dependent on the first user interaction. The second detector is configured to obtain from the smartcard second diversification data dependent on a second user interaction, e.g. selecting a service on the receiver. The conditional access module further comprises a decryption key generator configured to generate a decryption key with a diversification function. The diversification function has as input at least one of the first and second diversification data. The output of the diversification function is the decryption key. The conditional access module further comprises a decryptor configured to decrypt the encrypted control word using the decryption key to obtain the control word.
By adding diversification data to the diversification function whereby the diversification data depends on the user interaction with the receiver, it advantageously becomes difficult for another smartcard or conditional access module to follow the diversification function as the user interactions need to be followed exactly. As a result the encryption and decryption key used for encrypting and decrypting the control word in the smartcard and conditional access module, respectively, is unique to the smartcard and conditional access module and cannot be shared with other smartcards and conditional access modules.
Using the same diversification function in the encryption key generator and decryption key generator ensures that the encryption key and decryption key match. The diversification data exchanged between the smartcard and the conditional access module need not be encrypted as the diversification function is kept secret. A hacker acquiring the diversification data thus cannot generate the decryption key.
The user interaction is e.g. the selection of a service on the receiver by the user. It is possible to detect other types of user interaction, such as pressing any button on the remote control or directly on the receiver, e.g. a button for changing the volume. When the receiver is equipped with external sensors, it is even possible to detect a temperature change, a motion of the receiver or a motion of the user near the receiver.
The embodiments of claims 2 and 8 advantageously enable the encryption key used for encrypting the control word in the smartcard to be dependent on previous control words. As a result it advantageously becomes more difficult for another smartcard to follow the diversification function as the control words need to be followed exactly.
The embodiments of claims 3 and 9 advantageously enable obfuscation of the encryption key within the smartcard. This advantageously makes it highly unlikely to reverse engineer the diversification function by analysing its output, i.e. the encrypted encryption key.
The embodiment of claim 10 advantageously enables that the encryption key cannot be derived from the diversification function.
The embodiments of claims 5 and 12 advantageously enable the decryption key used for decrypting the control word in the conditional access module to be dependent on previous control words. As a result it advantageously becomes more difficult for another conditional access module to follow the diversification function as the control words need to be followed exactly.
The embodiments of claims 6 and 13 advantageously enable obfuscation of the decryption key within the conditional access module. This advantageously makes it impossible to reverse engineer the diversification function by analysing its output, i.e. the encrypted decryption key.
The embodiment of claim 14 advantageously enables that the decryption key cannot be derived from the diversification function.
According to an aspect of the invention a receiver is proposed for descrambling scrambled data. The receiver is e.g. a set-top box. The receiver comprises a first descrambler configured to descramble a first part of the scrambled data. The receiver further comprises a second descrambler configured to descramble a second part of the scrambled data. The receiver further comprises the conditional access module having one or more of the features as defined above. The first descrambler is configured to use the control word obtained by the conditional access module to descramble the first part of the scrambled data (sd).
This advantageously enables the receiver to malfunction with a redistributed pirated control word, as multiple control words are needed to descramble the scrambled data.
The embodiment of claim 16 advantageously enables descrambling of higher bit rate scrambled video requiring more computation power in the second descrambler, which is typically implemented in hardware, and descrambling of lower bit rate scrambled audio requiring less computation power in the first descrambler, which is typically implemented in software. It is possible to have both descramblers implemented in hardware or software.
Hereinafter, embodiments of the invention will be described in further detail. It should be appreciated, however, that these embodiments may not be construed as limiting the scope of protection for the present invention.
Aspects of the invention will be explained in greater detail by reference to exemplary embodiments shown in the drawings, in which:
One or more embodiments of the invention provide a state based key exchange, wherein control words communicated between a smartcard and a CAM in a receiver are encrypted with a diversified key. The CAM is typically integrated in a receiver such as a set-top box, but can be implemented in other types of receivers like a television, a personal video recorder, a mobile phone, a smart phone or a computer appliance. The diversification is based on user interaction with the set-top box, which is detected in the CAM, the smartcard or both.
The basic concept of the state based key exchange is shown in
Referring to
The detected user interaction is typically based on the selected service of the set-top box. Detection of the user interaction can be implemented in various manners. In the CAM 2 the user interaction is e.g. detected when the set-top box receives a remote control command or a button is pressed on the set-top box for changing a television channel. It is possible to detect other types of user interaction, such as pressing any button on the remote control or directly on the set-top box, e.g. a button for changing the volume. When the set-top box is equipped with external sensors, it is even possible to detect a temperature change, a motion of the set-top box or a motion of a person near the set-top box. In the smartcard 1 the user interaction is e.g. detected by monitoring a change in the contents of EMMs and ECMs being indicative of a change of the selected service.
Optionally the diversification function uses the outcome of a hashing function in a hash generator 13 in the smartcard 1 and a hashing function in a hash generator 23 in the CAM 2 as additional input for generating the encryption key ek and decryption key dk, respectively. Generally, a hashing function is a mathematical function which converts data into a small datum, usually a single integer. The values returned by a hash function are called hash values, hash codes, hash sums, or simply hashes. Various embodiments of the invention can use any known hashing algorithm. A hash value h1 is generated by a hash generator 13 in the smartcard and a hash value h2 is generated by a hash generator 23 in the CAM. The hashing functions in the hash generators 13 and 23 perform a calculation on the control word CW, a previous control word and a previous hash value. The outcome of the hashing function, i.e. the hash values h1 and h2, is then guaranteed equal only if all control words (i.e. current control word CW and previous control words) are the same for the hash generators 13 and 23. By adding the hash value to the diversification function, it advantageously becomes even more difficult for another CAM to follow the diversification function as the control words need to be followed exactly.
The hashing function (H) is defined as follows:
hash value=H(CW, previous control word, previous hash value)
The hashing function is initialized with a fixed pre-defined value for the hash value. The result is that the hashing function H will create an output which is based on the content of all the control words processed by this function after initialization. Any deviation between the control words on the smartcard 1 and CAM 2 will cause a key mismatch after the next detection of user interaction on either the smartcard 1 or the CAM 2 and generation of keys ek and dk. This functionality advantageously makes reverse engineering of the hash value and diversification function difficult due to the missing direct response.
The diversification function (DIV) in the smartcard 1 is defined as follows:
ek=DIV(diversification data, hash value h1)
The diversification function (DIV) in the CAM 2 is defined as follows:
dk=DIV(diversification data, hash value h2)
Optionally the diversification function encrypts the keys ek and dk with a Global Diversification key (GDk) stored in the smartcard 1 and CAM 2. The diversification function thus uses (symmetrical) encryption which can take the hash value from the hash generator 13 and the diversification data d1 and/or d2 and encrypt this data in e.g. cipher-block chaining (CBC) mode. The encrypted key is then used as key to encrypt/decrypt the control words in the encryptor 11/decryptor 21, respectively.
The diversification function (DIV) in the smartcard 1 is then defined as follows:
ek=E_GDk(DIV(diversification data, hash value h1))
The diversification function (DIV) in the CAM 2 is then defined as follows:
dk=E_GDk(DIV(diversification data, hash value h2))
Typically the diversification function is an XOR function, but any other mathematical function may be used.
The diversification function is optionally implemented as a software module that is protected by white-box cryptography or a software code obfuscation technique. Such protection ensures that the encryption key ek in the smartcard 1 and the decryption key dk in the CAM 2 cannot be derived from the diversification function. Moreover, intermediate results within the diversification function cannot be derived. Any known white-box cryptography or software code obfuscation technique can be used.
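The following is an added sketch of the state based key exchange described above, not code from the patent: both ends keep the hash chain over control words and regenerate the key on each user interaction, so a second CAM that sees the clear diversification data but missed earlier control words derives a different key. SHA-256 as H, HMAC-SHA256 standing in for the encryption under GDk, the small Feistel cipher standing in for the encryptor 11/decryptor 21, the `Endpoint` class and all key and data values are assumptions constructed for illustration.

```python
import hashlib
import hmac

GDK = b"constructed-demo-GDk"   # constructed Global Diversification key
INIT_HASH = bytes(32)           # assumed fixed pre-defined initial hash value

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def cw_cipher(key: bytes, block: bytes, decrypt: bool = False) -> bytes:
    """Stand-in for encryptor 11 / decryptor 21: 4-round Feistel over an 8-byte CW."""
    def f(i: int, half: bytes) -> bytes:
        return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:4]
    l, r = block[:4], block[4:]
    for i in ((3, 2, 1, 0) if decrypt else (0, 1, 2, 3)):
        l, r = (xor(r, f(i, l)), l) if decrypt else (r, xor(l, f(i, r)))
    return l + r

class Endpoint:
    """State that smartcard 1 and CAM 2 must keep in lock-step."""
    def __init__(self) -> None:
        self.prev_cw, self.hash_value, self.key = bytes(8), INIT_HASH, b""

    def on_user_interaction(self, div_data: bytes) -> None:
        # DIV is XOR here, as the text suggests; HMAC stands in for encryption under GDk.
        mixed = xor(div_data.ljust(32, b"\0"), self.hash_value)
        self.key = hmac.new(GDK, mixed, hashlib.sha256).digest()

    def _track(self, cw: bytes) -> None:
        # hash value = H(CW, previous control word, previous hash value)
        self.hash_value = hashlib.sha256(cw + self.prev_cw + self.hash_value).digest()
        self.prev_cw = cw

    def send_cw(self, cw: bytes) -> bytes:        # smartcard side
        ecw = cw_cipher(self.key, cw)
        self._track(cw)
        return ecw

    def receive_cw(self, ecw: bytes) -> bytes:    # CAM side
        cw = cw_cipher(self.key, ecw, decrypt=True)
        self._track(cw)
        return cw

def run_demo():
    card, cam, other_cam = Endpoint(), Endpoint(), Endpoint()
    for ep in (card, cam):
        ep.on_user_interaction(b"service=101")    # constructed diversification data
    first = [cam.receive_cw(card.send_cw(cw)) for cw in (b"CW-00001", b"CW-00002")]
    # Channel change: other_cam sees the clear diversification data but never
    # tracked the earlier control words, so its hash value is still INIT_HASH.
    for ep in (card, cam, other_cam):
        ep.on_user_interaction(b"service=202")
    ecw = card.send_cw(b"CW-00003")
    return first, cam.receive_cw(ecw), other_cam.receive_cw(ecw)
```

`run_demo()` returns the control words recovered by the paired CAM before and after the channel change, followed by what the out-of-sync CAM recovers from the same encrypted control word.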
In a conditional access system scrambled data is typically broadcast as a DVB stream comprising a multiplexed audio component and video component. The audio component has a relatively low bit rate, e.g. 128 kbit/s, while the video component has a relatively high bit rate, e.g. 2000 kbit/s. For descrambling high bit rate scrambled video the computational power of a hardware descrambler is needed. Descrambling low bit rate scrambled audio requires less computational power and can therefore be performed by software.
It is possible to descramble the video component with the first descrambler 31 and descramble the audio component with the second descrambler 32. It is also possible to have other parts demultiplexed from the scrambled data sd and have one or more of these parts descrambled by the first descrambler 31 while having other parts descrambled by the second descrambler 32.
For descrambling high bit rate scrambled video the computational power of a hardware descrambler is needed. Descrambling low bit rate scrambled audio requires less computational power and can therefore be performed by software. The first descrambler 31 is therefore typically a software descrambler. The second descrambler 32 is typically a hardware descrambler. To enable the software descrambler 32 the set-top box 3 is typically equipped with a memory and a processor for loading and running software. Software downloading and running capabilities of the set-top box can be used to add the software descrambling functionality to the hardware descrambling functionality of a set-top box.
In addition to the steps shown in
In addition to the steps shown in
Number | Date | Country | Kind |
---|---|---|---|
09152819.0 | Feb 2009 | EP | regional |